[TLS] Re: [Last-Call] Last Call: <draft-ietf-tls-mldsa-03.txt> (Use of ML-DSA in TLS 1.3) to Informational RFC
Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 02 June 2026 17:17 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/YBm-BKB8YOnKaVmkZhNBD8JPS08>
On Tue, Jun 02, 2026 at 10:23:00AM -0400, Russ Housley wrote:
> With the notice that you attached to this note, it cannot be used to
> improve the Security Considerations of draft-ietf-tls-mldsa-03. As
> such, this is very unhelpful.

Maybe something like:

-----------------------------------------------------------------------
Incorrect implementations of ML-DSA signing may leak the private key
along with signatures. While basic testing catches some kinds of
errors, there are errors that can evade such tests.

Examples of such errors are (with algorithms from FIPS 204):

- Incorrectly calculating rhoprimeprime on line 7 of ML-DSA.Sign_internal.
- Incorrectly calculating y on line 11 of ML-DSA.Sign_internal, which
  could be caused by incorrect implementation of ExpandMask or BitUnpack.
- Omitting norm check on r_0 on line 23 of ML-DSA.Sign_internal.

Tests that could catch such errors include comparing generated
signatures with another independent implementation. Signing with the
same key, randomizer, context and message should always produce the
same signature.
-----------------------------------------------------------------------

-Ilari
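As an added illustration of the third error in the list above (not part of Ilari's message, the draft, or any library's code), the line 23 rejection condition of ML-DSA.Sign_internal written out with the FIPS 204 Table 1 parameter values, next to the defective variant that drops the r_0 clause. The coefficient vectors in the self-check are constructed and far shorter than real ML-DSA polynomials.

```python
# Added example: the line 23 rejection check of ML-DSA.Sign_internal (FIPS 204,
# Algorithm 7), with the FIPS 204 Table 1 parameter values, next to the
# defective variant that omits the r_0 clause. Not the draft's or any
# library's code; the coefficient vectors used below are constructed and short.

Q = 8380417  # ML-DSA modulus q

# (gamma1, gamma2, beta = tau * eta) per parameter set, FIPS 204 Table 1
PARAMS = {
    "ML-DSA-44": {"gamma1": 1 << 17, "gamma2": (Q - 1) // 88, "beta": 39 * 2},
    "ML-DSA-65": {"gamma1": 1 << 19, "gamma2": (Q - 1) // 32, "beta": 49 * 4},
    "ML-DSA-87": {"gamma1": 1 << 19, "gamma2": (Q - 1) // 32, "beta": 60 * 2},
}


def mod_pm(w: int, q: int = Q) -> int:
    """Centered residue w mod+- q, in the range -(q-1)/2 .. (q-1)/2."""
    r = w % q
    return r - q if r > (q - 1) // 2 else r


def inf_norm(vec, q: int = Q) -> int:
    """Infinity norm of a vector of polynomials: max |c mod+- q| over all coefficients."""
    return max((abs(mod_pm(c, q)) for poly in vec for c in poly), default=0)


def line23_rejects(z, r0, param_set: str) -> bool:
    """Correct check: restart the signing loop when either norm bound is hit."""
    p = PARAMS[param_set]
    return (inf_norm(z) >= p["gamma1"] - p["beta"]
            or inf_norm(r0) >= p["gamma2"] - p["beta"])


def buggy_rejects_without_r0_check(z, r0, param_set: str) -> bool:
    """Defective variant named in the message: the r_0 bound is never enforced,
    so candidates the specification discards are released as signatures."""
    p = PARAMS[param_set]
    return inf_norm(z) >= p["gamma1"] - p["beta"]


if __name__ == "__main__":
    # Constructed r_0 sitting exactly on the ML-DSA-44 bound gamma2 - beta = 95154
    z_ok, r0_on_bound = [[1, -2, 7]], [[95154, 0]]
    print("correct check rejects:", line23_rejects(z_ok, r0_on_bound, "ML-DSA-44"))
    print("buggy check rejects:  ", buggy_rejects_without_r0_check(z_ok, r0_on_bound, "ML-DSA-44"))
```

Feeding the same candidate (z, r0) pairs to a second implementation's rejection step is the kind of cross-check the message describes: both must discard exactly the same candidates, or the two will not produce identical signatures for identical key, randomizer, context and message.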